By: Andrew Ciulla
The United Kingdom’s Age-Appropriate Design Code (“AADC”) is the model for current United States legislation calling for greater protection of children on the internet. The AADC took effect on September 2, 2020, giving businesses a year’s grace period to come into compliance. The code sets out 15 standards of age-appropriate design reflecting a risk-based approach, focusing on default settings that ensure children have internet access while minimizing data collection and use. United States lawmakers applauded the AADC, which introduced legislation updating the Children’s Online Privacy Protection Act (“COPPA”). American lawmakers’ updates echoed the AADC, such as by extending protection beyond services targeted to children, where companies should reasonably know that kids are on their platforms.
The AADC has also had an incredible impact on the recent California bill, California’s Age-Appropriate Design Code Act, which passed in the State Senate by a unanimous vote of 33-0. The California bill grants an even more considerable grace period of almost two years, becoming operative on July 1, 2024. The bills are practically identical down to their titles. The California bill has incorporated a majority of the AADC’s codes, including: extending protection to services, products, or features “likely to be accessed” by children; determining the risk to children through an initial Data Protection Impact Assessment; estimating the age of child users with a “reasonable level of certainty;” and configuring default settings to a high level of privacy unless the business can demonstrate a compelling reason otherwise. Furthermore, Section 1(d) of California’s bill calls for American companies to look toward the AADC for guidance when developing their online services.
California’s Age-Appropriate Design Code Act notably parts from the AADC in one crucial way by exempting the delivery or use of physical products. However, in the U.K. code, physical toys or devices which are connected to the internet are incorporated under the 14th standard. One example the AADC provides is a talking teddy bear with a microphone that records what the child is saying and sends the data back to the company so they can personalize its responses. The ability to personalize a conversation with a children’s toy may be a disturbing example to some, but a technological innovation to others.
Nonetheless, today there are many devices, not just talking teddy bears, that are collecting data in the home. In 2017, researchers found that of 1,454 U.S. parents with children ages 0-8, 95 percent of homes had a smartphone, 78 percent had a tablet, and 42 percent of children had their own mobile device. Smart devices in the home can be incredibly useful in getting directions or curating a playlist. Still, they also leave a record of your location and interest while utilizing their many features. California legislators acknowledge that “children need special safeguards and care in all aspects of their lives,” so why would California’s new robust children’s safety bill exclude physical products that children interact with on a daily basis?
One answer to this question lies in the criticism that California’s bill is a broad mandate that could pose problems for businesses. Thus, the exclusion may be legislators’ attempt at accommodating industry concerns or reducing their quantity. It comes as no surprise that Technet, a tech industry association whose members include Amazon, Apple, Cisco, Google, Oracle, Pinterest, Snap, and Meta (previously Facebook), is one of the California bill’s most outspoken critics. The conglomerate calls for narrowing the bill’s scope, arguing that in its current state, the language “likely to be accessed” by children requires more online services than necessary to be compliant. Similarly, the News/Media Alliance, a trade group representing 2,000 publishers, has lobbied for changes based on the claim that the bill would require newspapers and magazines to take on high costs of implementing age verifications or creating safe versions of articles for children.
Critics also emphasize that requiring estimating age to a reasonable certainty would undermine the bill’s principal objective. In addition, age verification will likely require the user to submit personal data, which would present a privacy risk. The AADC illuminates a series of options to estimate users’ ages, from artificial intelligence analyzing how the user interacts with a service, to “hard identifiers” such as a passport. There is an apparent tradeoff between higher accuracy in estimating age and collecting more data about the user.
While the AADC has influenced dramatic shifts in online safety protections for children in the United States, the California Age-Appropriate Design Code Act leaves out important language regarding the use of physical products. It seems legislators are focusing on getting businesses to become more aware of their impact on children while pushing off established bright lines for businesses, as indicated by an almost two-year grace period. For now, businesses are left with a looming deadline as they observe those across the pond continue to grapple with the now-in-effect AADC.
Student Bio: Andrew Ciulla is a 2L at Suffolk University Law School. He is a staff writer on the Journal of High Technology Law. Andrew received a Bachelor of Arts Degree in International Studies, with concentrations in Ethics and Social Justice, from Boston College.
Disclaimer: The views expressed in this blog are the author’s alone and do not represent the views of JHTL or Suffolk University Law School.